Re: How to track system changes?

2022-04-04 Thread Eric Thomas
Very valuable insights. That’s a great idea. 

The rsync script was ksh/bash or cron? Ideally I’d like to use Python to tackle 
something like this but I’m not against learning shell. 


> On Apr 4, 2022, at 2:02 PM, Nick Holland  wrote:
> 
> On 4/4/22 11:32 AM, Eric Thomas wrote:
>> I want to have a high degree of confidence in my system's state
>> (packages that have been added, configs that have changed, permissions
>> changed, etc). I've read about "read only filesystems" and the
>> pros/cons [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).
>> Aside from that, is there a way to...
>> 1. ...hash the file system in some way and monitor for changes? OR
>> 2. ...somehow review changes that have taken place (a log somewhere)?
>> The goal is to concretely know whether the state of the system has
>> changed, then point to what EXACTLY has changed.
>> Anyone doing something similar?
>> Thank you
> 
> Something I came up with which worked out really well at my employer was
> a backup system that used rsync and the --link-dest option to make a useful
> rotated disk-based backup of current systems.  When they said, "We want some
> kind of file integrity monitoring system", I puzzled over all kinds of ways
> to look for altered files...but it suddenly hit me -- I HAD a list of all the
> altered files -- the output of the rsync --link-dest backup run!
> 
> Took that output, ran it through a "grep -vf exclusionlist", where
> "exclusionlist" was a list of files (in regex form) I EXPECTED change on...and
> I had a daily output of all unexpected changed files.  I called it the
> "File Alteration Reporting Tool", but my coworkers thought another name would
> be more appropriate for some reason. :D
> 
> It was really quite interesting.  Never found a real security breach (yay),
> but learned a LOT of new things about the software running on our systems,
> and to the point -- we found a few things that prompted us to go kicking trees
> to find out what someone had done that we weren't aware of.  I call that 
> success.
> 
> Yes, I'm working on re-doing it (i.e., clean slate so my (former) employer has
> no gripes (and no internal information disclosure)), but if you are adept at
> scripting, it wasn't too difficult.
> 
> Nick.
> 
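
The approach Nick describes above (take the change list from an rsync `--link-dest` run and drop everything matching an exclusion list), sketched in Python as an added example; it is not code from the thread or from Nick's tool. It assumes rsync was run with `--itemize-changes`; the sample output, the exclusion patterns and the function names are constructed for illustration.

```python
import re

# Constructed sample in rsync's --itemize-changes format (not real output).
SAMPLE_RSYNC_OUTPUT = """\
>f.st...... etc/pf.conf
>f+++++++++ usr/local/bin/newtool
.f...p..... etc/master.passwd
>f.st...... var/log/messages
>f.st...... var/db/locate.database
cd+++++++++ home/eric/.cache/
sent 1,234 bytes  received 56 bytes
"""

# Constructed exclusion list: one regex per line for paths expected to change.
SAMPLE_EXCLUSIONS = r"""
^var/log/
^var/db/locate\.database$
/\.cache/
"""

# Itemized line: update type, file type, nine attribute flags, then the path.
ITEM = re.compile(r"^([<>ch.])([fdLDS])([.+ ?a-zA-Z]{9}) (.+)$")
# Meaning of each flag position; position 6 (access/create time) is not reported.
ATTRS = ["content", "size", "mtime", "perms", "owner", "group", None, "acl", "xattr"]

def load_exclusions(text):
    # Skip blank lines: an empty pattern matches every line (in `grep -vf` too),
    # which would silently empty the whole report.
    return [re.compile(line) for line in text.splitlines() if line.strip()]

def describe(flags):
    """Turn the nine attribute flags into a list of what changed."""
    if flags.startswith("+"):
        return ["new"]
    return [name for ch, name in zip(flags, ATTRS) if name and ch not in ". "]

def unexpected_changes(rsync_output, exclusions):
    """Return (path, changes) for every itemized line not covered by an exclusion."""
    report = []
    for line in rsync_output.splitlines():
        m = ITEM.match(line)
        if not m:  # summary lines and other messages
            continue
        path = m.group(4)
        if any(p.search(path) for p in exclusions):
            continue
        report.append((path, describe(m.group(3))))
    return report

if __name__ == "__main__":
    rules = load_exclusions(SAMPLE_EXCLUSIONS)
    for path, changes in unexpected_changes(SAMPLE_RSYNC_OUTPUT, rules):
        print(f"{path}: {', '.join(changes)}")
```

Unlike `grep -vf`, which tests each pattern against the whole output line, this sketch tests the patterns against the path only, so anchors such as `^var/log/` behave as written.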



How to track system changes?

2022-04-04 Thread Eric Thomas
I want to have a high degree of confidence in my system's state
(packages that have been added, configs that have changed, permissions
changed, etc). I've read about "read only filesystems" and the
pros/cons [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).

Aside from that, is there a way to...

1. ...hash the file system in some way and monitor for changes? OR
2. ...somehow review changes that have taken place (a log somewhere)?

The goal is to concretely know whether the state of the system has
changed, then point to what EXACTLY has changed.

Anyone doing something similar?

Thank you



Internal Logging?

2022-04-04 Thread Eric Thomas
I'd like to understand more about how OpenBSD logs internal events such as:

- pkg_add/delete events
- user logins
- X session start/stops
etc.

Is there "one big log" where all of these types of events are stored?
Or are they logged in specific directories depending on log type?
Which log directories do you monitor?

Thank you!



Re: How to rebuild the ports tree?

2022-04-02 Thread Eric Thomas
@Stuart

Disregard! I see now that the `make FETCH_PACKAGES= install` installed
everything. I assumed it would get the large packages only.

Looks like running `unifi info` yields all relevant info.

Thank you very much for the patience and expertise.

On Sat, Apr 2, 2022 at 6:16 PM Eric Thomas  wrote:
>
> @Stuart
>
> > I really recommend using FETCH_PACKAGES
>
> Thank you for the (repeated!) recommendation to use `make
> FETCH_PACKAGES= install`. I had originally tried the command but
> missed that CRITICAL space ' ' between `=` and `install`. Now that I
> have that corrected, the `make` went very quickly.
>
> >"pkg_info | grep unifi" will show some output if it is installed
>
> Nice! After running `make`, `pkg_info | grep unifi` shows:
> "unifi-6.2.26 controller for Ubiquit..."
>
> Last(?) issue:
> Running `pkg_add unifi` (or `unifi-6.2.26`) from
> `/urs/ports/net/unifi/6.2` results in:
> "quirks-4.54 signed on 2022-03-26T14:02:422
> Can't find unifi"
>
> How do I get the custom build to a location where pkg_add can "see it"?
>
> On Fri, Apr 1, 2022 at 8:30 AM Stuart Henderson
>  wrote:
> >
> > On 2022-04-01, Eric Thomas  wrote:
> > > @Crystal
> > >
> > >> If you want to work with the ports tree, it's _much_ better to set up
> > >> DPB than just running 'make' in the various directories:
> > >
> > > Very cool blog! I def spent some time reading. The dpb method feels
> > > like a little too advanced for me at this moment. I'm struggling to
> > > get this UniFi port built using the standard setup.
> >
> > The only places I use dpb are 1) for bulk builds, i.e. building the
> > whole set of ports in one go, and 2) if I want to download all the
> > distfiles (source code to all the ports) if I want to run a search
> > over it all.
> >
> > It's useful but I would not describe it as useful for what most people
> > need to do with the ports tree.
> >
> > > @Stuart
> > >
> > > 1. I was able to restore a previous checkpoint (I'm in a virtual
> > > machine) where the port tree was freshly installed.
> > > 2. I ran `make install` in the correct directory ( thank you:
> > > `/usr/ports/net/unifi/6.2`) and piped the results to a log.txt file.
> >
> > I really recommend using FETCH_PACKAGES so you aren't spending hours
> > building difficult-to-build ports needlessly, unifi itself cannot be
> > distributed as packages, but the other software which it requires aren't
> > a problem.  i.e. this bit from my mail:
> >
> > >> memory limits, you probably want to install those from packages instead
> > >> ("make FETCH_PACKAGES= install" should do that - the unifi port would
> > >> have displayed a hint about this when you ran "make").
> >
> >
> > > 3. I wish I could figure out how to get the dang log.txt file out of
> > > the OpenBSD VM (email?, USB thumbdrive?, other?) and into your hands!
> >
> > the easiest options are based around connecting to the machine by ssh
> > e.g.
> >
> > - ssh in, copy and paste from the terminal
> > - scp or sftp the file to another machine
> >
> > > - Seems like an act of congress to setup external email. At least
> > > I can't find a simple example on the web
> >
> > either use a mail client that can connect to your mail server directly,
> > or use something like this
> > https://blog.joelg.net/post/2020-09-20-setting-up-opensmtpd-with-an-external-relay/
> >
> > if you need to use a From address that is something other than
> > @ then it gets more complicated
> >
> > > - It'll probably be easier for me to determine how to add USB
> > > drives to the VM (working on it)
> > > 4. I can't tell whether the `make install` worked or not
> >
> > "pkg_info | grep unifi" will show some output if it is installed
> >



Re: How to rebuild the ports tree?

2022-04-02 Thread Eric Thomas
@Stuart

> I really recommend using FETCH_PACKAGES

Thank you for the (repeated!) recommendation to use `make
FETCH_PACKAGES= install`. I had originally tried the command but
missed that CRITICAL space ' ' between `=` and `install`. Now that I
have that corrected, the `make` went very quickly.

>"pkg_info | grep unifi" will show some output if it is installed

Nice! After running `make`, `pkg_info | grep unifi` shows:
"unifi-6.2.26 controller for Ubiquit..."

Last(?) issue:
Running `pkg_add unifi` (or `unifi-6.2.26`) from
`/urs/ports/net/unifi/6.2` results in:
"quirks-4.54 signed on 2022-03-26T14:02:422
Can't find unifi"

How do I get the custom build to a location where pkg_add can "see it"?

On Fri, Apr 1, 2022 at 8:30 AM Stuart Henderson
 wrote:
>
> On 2022-04-01, Eric Thomas  wrote:
> > @Crystal
> >
> >> If you want to work with the ports tree, it's _much_ better to set up
> >> DPB than just running 'make' in the various directories:
> >
> > Very cool blog! I def spent some time reading. The dpb method feels
> > like a little too advanced for me at this moment. I'm struggling to
> > get this UniFi port built using the standard setup.
>
> The only places I use dpb are 1) for bulk builds, i.e. building the
> whole set of ports in one go, and 2) if I want to download all the
> distfiles (source code to all the ports) if I want to run a search
> over it all.
>
> It's useful but I would not describe it as useful for what most people
> need to do with the ports tree.
>
> > @Stuart
> >
> > 1. I was able to restore a previous checkpoint (I'm in a virtual
> > machine) where the port tree was freshly installed.
> > 2. I ran `make install` in the correct directory ( thank you:
> > `/usr/ports/net/unifi/6.2`) and piped the results to a log.txt file.
>
> I really recommend using FETCH_PACKAGES so you aren't spending hours
> building difficult-to-build ports needlessly, unifi itself cannot be
> distributed as packages, but the other software which it requires aren't
> a problem.  i.e. this bit from my mail:
>
> >> memory limits, you probably want to install those from packages instead
> >> ("make FETCH_PACKAGES= install" should do that - the unifi port would
> >> have displayed a hint about this when you ran "make").
>
>
> > 3. I wish I could figure out how to get the dang log.txt file out of
> > the OpenBSD VM (email?, USB thumbdrive?, other?) and into your hands!
>
> the easiest options are based around connecting to the machine by ssh
> e.g.
>
> - ssh in, copy and paste from the terminal
> - scp or sftp the file to another machine
>
> > - Seems like an act of congress to setup external email. At least
> > I can't find a simple example on the web
>
> either use a mail client that can connect to your mail server directly,
> or use something like this
> https://blog.joelg.net/post/2020-09-20-setting-up-opensmtpd-with-an-external-relay/
>
> if you need to use a From address that is something other than
> @ then it gets more complicated
>
> > - It'll probably be easier for me to determine how to add USB
> > drives to the VM (working on it)
> > 4. I can't tell whether the `make install` worked or not
>
> "pkg_info | grep unifi" will show some output if it is installed
>



Re: How to rebuild the ports tree?

2022-04-01 Thread Eric Thomas
@Crystal

> If you want to work with the ports tree, it's _much_ better to set up
> DPB than just running 'make' in the various directories:

Very cool blog! I def spent some time reading. The dpb method feels
like a little too advanced for me at this moment. I'm struggling to
get this UniFi port built using the standard setup.
---

@Stuart

1. I was able to restore a previous checkpoint (I'm in a virtual
machine) where the port tree was freshly installed.
2. I ran `make install` in the correct directory ( thank you:
`/usr/ports/net/unifi/6.2`) and piped the results to a log.txt file.
3. I wish I could figure out how to get the dang log.txt file out of
the OpenBSD VM (email?, USB thumbdrive?, other?) and into your hands!
- Seems like an act of congress to setup external email. At least
I can't find a simple example on the web
- It'll probably be easier for me to determine how to add USB
drives to the VM (working on it)
4. I can't tell whether the `make install` worked or not
- Running `pkg_add unifi` results in:
- `quirks-4.54 signed on 2022-03-26T14:02:42Z /n Can't find unifi`


On Thu, Mar 31, 2022 at 5:53 PM Stuart Henderson
 wrote:
>
> On 2022-03-31, Eric Thomas  wrote:
> >
> > I'm stuck. I need to install the UniFi 6.2.26 port, I used the [FAQ to
> > setup the ports tree](https://www.openbsd.org/faq/ports/ports.html).
> > This seemed to work just fine. However, the last few messages in the
> > `make install` output showed errors. To debug the issue, I decided to
> > completely uninstall the UniFi port then pipe the `make install`
> > output to a log.txt.
>
> As you mentioned 6.2 and this shows 5.6 you'll want to cd into the
> relevant subdirectory of /usr/ports/net/unifi.
>
> Compiling mongodb and java aren't very much fun and may need raised
> memory limits, you probably want to install those from packages instead
> ("make FETCH_PACKAGES= install" should do that - the unifi port would
> have displayed a hint about this when you ran "make").
>
> > To uninstall:
> >
> > - TRIED: `make uninstall`
> > - ERROR: `make: don't know how to make uninstall`
>
> This would be "make deinstall", but it isn't installed yet, what you
> showed is where it was trying to compile/install the dependencies.
>
> > Content-Type: image/png; name="image.png"
>
> Hopefully that will help, if not please copy the text from a terminal
> rather than send a screenshot, it may be helpful to scroll up a bit
> to show preceding lines too.
>



How to rebuild the ports tree?

2022-03-31 Thread Eric Thomas
I'm stuck. I need to install the UniFi 6.2.26 port, I used the [FAQ to
setup the ports tree](https://www.openbsd.org/faq/ports/ports.html).
This seemed to work just fine. However, the last few messages in the
`make install` output showed errors. To debug the issue, I decided to
completely uninstall the UniFi port then pipe the `make install`
output to a log.txt.

To uninstall:

- TRIED: `make uninstall`
- ERROR: `make: don't know how to make uninstall`

- TRIED:
  - `make clean`
  - `pkg_delete -a`
  - `make clean=dist`
  - `make clean=packages`
  - `make install`
- ERRORS: MANY (attached)

The question is, how do I just rebuild the ports tree and/or get it
back in a known good state?


How to determine if WiFi AP is compatible?

2022-03-28 Thread Eric Thomas
I'm trying to determine if a WiFi AP is compatible with OpenBSD. For
example, checking the [Wireless FAQs](
https://www.openbsd.org/faq/faq6.html#Wireless), I don't see whether the
chipset used by the [UniFi Access Point WiFi 6 Pro](
https://dl.ui.com/ds/u6-pro_ds.pdf) is compatible or not.

I want to know if I need to use a particular [switch](
https://store.ui.com/collections/unifi-network-switching/products/usw-lite-16-poe)
to plug the WiFi AP into, or whether I can plug the WiFi AP directly into
the OpenBSD server.

Sheet of music:
https://i.stack.imgur.com/IkBMf.png


OpenBSD Home Server + Workstation on same machine?

2022-03-21 Thread Eric Thomas
Hello,

I'd like to learn about secure networking (PKI, x509 certs, DNS, IPS, etc.)
and generally harden my home network using OpenBSD. Can I use OpenBSD
services AND have it act as a desktop workstation on the same machine?

Ref:
https://superuser.com/questions/1712101/openbsd-home-server-workstation-on-same-machine

Thanks,
Eric